npm - @culturefy/shared - Versions diffs - 1.0.38 → 1.0.40 - Mend

@culturefy/shared 1.0.38 → 1.0.40

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (81) hide show

package/build/cjs/constants/app.js +45 -0
package/build/cjs/constants/app.js.map +1 -0
package/build/cjs/constants/index.js +10 -0
package/build/cjs/constants/index.js.map +1 -0
package/build/cjs/index.js +6 -0
package/build/cjs/index.js.map +1 -1
package/build/cjs/middlewares/sample middleware.js +2 -0
package/build/cjs/middlewares/sample middleware.js.map +1 -0
package/build/cjs/middlewares/verify-middleware.js +202 -0
package/build/cjs/middlewares/verify-middleware.js.map +1 -0
package/build/cjs/types/app.js +2 -0
package/build/cjs/types/app.js.map +1 -0
package/build/cjs/types/middleware.js +2 -0
package/build/cjs/types/middleware.js.map +1 -0
package/build/cjs/utils/cookies.js +28 -0
package/build/cjs/utils/cookies.js.map +1 -0
package/build/cjs/utils/index.js +6 -0
package/build/cjs/utils/index.js.map +1 -1
package/build/cjs/utils/middleware.js +71 -0
package/build/cjs/utils/middleware.js.map +1 -0
package/build/esm/constants/app.js +41 -0
package/build/esm/constants/app.js.map +1 -0
package/build/esm/constants/index.js +2 -0
package/build/esm/constants/index.js.map +1 -0
package/build/esm/index.js +1 -0
package/build/esm/index.js.map +1 -1
package/build/esm/middlewares/sample middleware.js +2 -0
package/build/esm/middlewares/sample middleware.js.map +1 -0
package/build/esm/middlewares/verify-middleware.js +197 -0
package/build/esm/middlewares/verify-middleware.js.map +1 -0
package/build/esm/types/app.js +2 -0
package/build/esm/types/app.js.map +1 -0
package/build/esm/types/middleware.js +2 -0
package/build/esm/types/middleware.js.map +1 -0
package/build/esm/utils/cookies.js +24 -0
package/build/esm/utils/cookies.js.map +1 -0
package/build/esm/utils/index.js +1 -0
package/build/esm/utils/index.js.map +1 -1
package/build/esm/utils/middleware.js +65 -0
package/build/esm/utils/middleware.js.map +1 -0
package/build/src/constants/app.d.ts +2 -0
package/build/src/constants/app.js +38 -0
package/build/src/constants/app.js.map +1 -0
package/build/src/constants/index.d.ts +1 -0
package/build/src/constants/index.js +5 -0
package/build/src/constants/index.js.map +1 -0
package/build/src/index.d.ts +1 -0
package/build/src/index.js +1 -0
package/build/src/index.js.map +1 -1
package/build/src/middlewares/sample middleware.d.ts +0 -0
package/build/src/middlewares/sample middleware.js +2 -0
package/build/src/middlewares/sample middleware.js.map +1 -0
package/build/src/middlewares/verify-middleware.d.ts +2 -0
package/build/src/middlewares/verify-middleware.js +167 -0
package/build/src/middlewares/verify-middleware.js.map +1 -0
package/build/src/types/app.d.ts +29 -0
package/build/src/types/app.js +3 -0
package/build/src/types/app.js.map +1 -0
package/build/src/types/middleware.d.ts +3 -0
package/build/src/types/middleware.js +3 -0
package/build/src/types/middleware.js.map +1 -0
package/build/src/utils/cookies.d.ts +2 -0
package/build/src/utils/cookies.js +25 -0
package/build/src/utils/cookies.js.map +1 -0
package/build/src/utils/index.d.ts +1 -0
package/build/src/utils/index.js +1 -0
package/build/src/utils/index.js.map +1 -1
package/build/src/utils/middleware.d.ts +12 -0
package/build/src/utils/middleware.js +64 -0
package/build/src/utils/middleware.js.map +1 -0
package/package.json +1 -1
package/src/constants/app.ts +40 -0
package/src/constants/index.ts +1 -0
package/src/index.ts +2 -1
package/src/middlewares/sample middleware.ts +0 -0
package/src/middlewares/verify-middleware.ts +197 -0
package/src/types/app.ts +27 -0
package/src/types/middleware.ts +10 -0
package/src/utils/cookies.ts +24 -0
package/src/utils/index.ts +2 -1
package/src/utils/middleware.ts +70 -0

package/build/esm/middlewares/verify-middleware.js ADDED Viewed

@@ -0,0 +1,197 @@
+import { sendResponse } from "../utils";
+import { APP_MAP } from "../constants";
+import { jwtDecode } from "jwt-decode";
+import { setCookieKV } from "../utils/cookies";
+const apiURL = process.env.REFRESH_SESSION_URL || '';
+const parseCookieHeader = header => {
+  const out = {};
+  if (!header) return out;
+  for (const part of header.split(";")) {
+    const [k, ...rest] = part.trim().split("=");
+    if (!k) continue;
+    out[k] = decodeURIComponent(rest.join("=") || "");
+  }
+  return out;
+};
+export const verifyMw = async (req, ctx, next) => {
+  var _APP_MAP$appId, _p, _ref, _ref$state, _p$cfy_tid, _p$sub, _ref2, _p$cfy_bid, _ref3, _p$email, _p$name, _ref4, _p$resource_access$ex, _p$resource_access, _p$realm_access;
+  const appId = req.headers.get("app-id");
+  if (!appId || !(APP_MAP != null && (_APP_MAP$appId = APP_MAP[appId]) != null && _APP_MAP$appId.clientId)) {
+    return sendResponse(400, {
+      status: "bad_request",
+      reason: "invalid_app"
+    });
+  }
+  const expectedClientId = APP_MAP[appId].clientId;
+  // cookies
+  const cookies = parseCookieHeader(req.headers.get("cookie"));
+  const at = cookies[`__Secure-session-v1.${appId}.at`];
+  const rt = cookies[`__Secure-session-v1.${appId}.rt`];
+  if (!at && !rt) {
+    return sendResponse(401, {
+      status: "unauthenticated",
+      reason: "no_tokens"
+    });
+  }
+  // decode/verify (lightweight; replace with your verifyJsonWebToken if you have it)
+  let p;
+  try {
+    p = jwtDecode(at);
+  } catch (_unused) {
+    return sendResponse(401, {
+      status: "unauthenticated",
+      reason: "invalid_token"
+    });
+  }
+  if (!((_p = p) != null && _p.sid)) {
+    return sendResponse(401, {
+      status: "unauthenticated",
+      reason: "user_not_found"
+    });
+  }
+  const now = Math.floor(Date.now() / 1000);
+  // if (typeof p.exp === "number" && p.exp <= now) {
+  if (typeof p.exp === "number" && p.exp >= now) {
+    // Delegate to refresh helper; it will handle setting cookies/state or returning an error
+    return await getNewRefreshToken(req, ctx, appId, expectedClientId, rt, p, next);
+  }
+  // audience checks
+  const audOk = Array.isArray(p.aud) && p.aud.includes(expectedClientId) || typeof p.aud === "string" && (p.aud === expectedClientId || p.aud === "account") || p.azp === expectedClientId;
+  if (!audOk) {
+    return sendResponse(403, {
+      status: "forbidden",
+      reason: "audience_mismatch"
+    });
+  }
+  setCookieKV(ctx, 'ew', 'rre');
+  // pass data downstream
+  (_ref$state = (_ref = ctx).state) != null ? _ref$state : _ref.state = {};
+  const tenantId = (_p$cfy_tid = p.cfy_tid) != null ? _p$cfy_tid : p.iss ? new URL(p.iss).pathname.split("/").pop() : null;
+  ctx.state.auth = {
+    appId,
+    userId: (_p$sub = p.sub) != null ? _p$sub : null,
+    businessId: (_ref2 = (_p$cfy_bid = p.cfy_bid) != null ? _p$cfy_bid : tenantId) != null ? _ref2 : null,
+    tenantId,
+    email: (_ref3 = (_p$email = p.email) != null ? _p$email : p.preferred_username) != null ? _ref3 : null,
+    name: (_p$name = p.name) != null ? _p$name : undefined,
+    roles: (_ref4 = (_p$resource_access$ex = (_p$resource_access = p.resource_access) == null || (_p$resource_access = _p$resource_access[expectedClientId]) == null ? void 0 : _p$resource_access.roles) != null ? _p$resource_access$ex : (_p$realm_access = p.realm_access) == null ? void 0 : _p$realm_access.roles) != null ? _ref4 : [],
+    exp: p.exp
+  };
+  return next();
+};
+async function getNewRefreshToken(req, ctx, appId, expectedClientId, rt, p, next) {
+  var _APP_MAP$appId$auth;
+  // Attempt server-side refresh using RT
+  if (!rt) {
+    return sendResponse(401, {
+      status: "unauthenticated",
+      reason: "expired_no_rt"
+    });
+  }
+  // Resolve realm for refresh
+  let realmId = (_APP_MAP$appId$auth = APP_MAP[appId].auth) == null ? void 0 : _APP_MAP$appId$auth.realm;
+  if (!realmId) {
+    try {
+      const issRealm = p != null && p.iss ? new URL(p.iss).pathname.split("/").pop() : undefined;
+      realmId = (p == null ? void 0 : p.cfy_tid) || issRealm || undefined;
+    } catch (_unused2) {
+      realmId = undefined;
+    }
+  }
+  if (!realmId) {
+    return sendResponse(401, {
+      status: "unauthenticated",
+      reason: "cannot_resolve_realm"
+    });
+  }
+  ctx.info("refreshing token payload ----------------------", {
+    realmId,
+    expectedClientId,
+    rt
+  });
+  // Call auth service to refresh
+  try {
+    var _ref5, _ref5$state, _p2$cfy_tid, _p2$sub, _ref6, _p2$cfy_bid, _ref7, _p2$email, _p2$name, _ref8, _p2$resource_access$e, _p2$resource_access, _p2$realm_access;
+    const resp = await fetch(apiURL, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        realmId,
+        clientId: expectedClientId,
+        refresh_token: rt
+      })
+    });
+    if (!resp.ok) {
+      const text = await resp.text();
+      ctx.warn == null || ctx.warn(`refresh call failed: ${resp.status} ${text}`);
+      return sendResponse(401, {
+        status: "unauthenticated",
+        reason: "refresh_failed"
+      });
+    }
+    const payload = await resp.json();
+    const data = (payload == null ? void 0 : payload.data) || {};
+    const newAT = data.access_token;
+    const newRT = data.refresh_token;
+    if (!newAT || !newRT) {
+      return sendResponse(401, {
+        status: "unauthenticated",
+        reason: "invalid_refresh_response"
+      });
+    }
+    // Set refreshed cookies for client session
+    setCookieKV(ctx, `__Secure-session-v1.${appId}.at`, newAT);
+    setCookieKV(ctx, `__Secure-session-v1.${appId}.rt`, newRT);
+    // Decode new AT and proceed
+    let p2;
+    try {
+      p2 = jwtDecode(newAT);
+    } catch (_unused3) {
+      return sendResponse(401, {
+        status: "unauthenticated",
+        reason: "invalid_new_token"
+      });
+    }
+    const audOk2 = Array.isArray(p2.aud) && p2.aud.includes(expectedClientId) || typeof p2.aud === "string" && (p2.aud === expectedClientId || p2.aud === "account") || p2.azp === expectedClientId;
+    if (!audOk2) {
+      return sendResponse(403, {
+        status: "forbidden",
+        reason: "audience_mismatch"
+      });
+    }
+    // Update downstream auth state with refreshed token
+    (_ref5$state = (_ref5 = ctx).state) != null ? _ref5$state : _ref5.state = {};
+    const tenantId2 = (_p2$cfy_tid = p2.cfy_tid) != null ? _p2$cfy_tid : p2.iss ? new URL(p2.iss).pathname.split("/").pop() : null;
+    ctx.state.auth = {
+      appId,
+      userId: (_p2$sub = p2.sub) != null ? _p2$sub : null,
+      businessId: (_ref6 = (_p2$cfy_bid = p2.cfy_bid) != null ? _p2$cfy_bid : tenantId2) != null ? _ref6 : null,
+      tenantId: tenantId2,
+      email: (_ref7 = (_p2$email = p2.email) != null ? _p2$email : p2.preferred_username) != null ? _ref7 : null,
+      name: (_p2$name = p2.name) != null ? _p2$name : undefined,
+      roles: (_ref8 = (_p2$resource_access$e = (_p2$resource_access = p2.resource_access) == null || (_p2$resource_access = _p2$resource_access[expectedClientId]) == null ? void 0 : _p2$resource_access.roles) != null ? _p2$resource_access$e : (_p2$realm_access = p2.realm_access) == null ? void 0 : _p2$realm_access.roles) != null ? _ref8 : [],
+      exp: p2.exp
+    };
+    // Continue pipeline after refresh
+    return next();
+  } catch (e) {
+    ctx.error == null || ctx.error("refresh exception", e);
+    return sendResponse(401, {
+      status: "unauthenticated",
+      reason: "refresh_exception"
+    });
+  }
+}
+//# sourceMappingURL=verify-middleware.js.map

package/build/esm/middlewares/verify-middleware.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"verify-middleware.js","names":["sendResponse","APP_MAP","jwtDecode","setCookieKV","apiURL","process","env","REFRESH_SESSION_URL","parseCookieHeader","header","out","part","split","k","rest","trim","decodeURIComponent","join","verifyMw","req","ctx","next","_APP_MAP$appId","_p","_ref","_ref$state","_p$cfy_tid","_p$sub","_ref2","_p$cfy_bid","_ref3","_p$email","_p$name","_ref4","_p$resource_access$ex","_p$resource_access","_p$realm_access","appId","headers","get","clientId","status","reason","expectedClientId","cookies","at","rt","p","_unused","sid","now","Math","floor","Date","exp","getNewRefreshToken","audOk","Array","isArray","aud","includes","azp","state","tenantId","cfy_tid","iss","URL","pathname","pop","auth","userId","sub","businessId","cfy_bid","email","preferred_username","name","undefined","roles","resource_access","realm_access","_APP_MAP$appId$auth","realmId","realm","issRealm","_unused2","info","_ref5","_ref5$state","_p2$cfy_tid","_p2$sub","_ref6","_p2$cfy_bid","_ref7","_p2$email","_p2$name","_ref8","_p2$resource_access$e","_p2$resource_access","_p2$realm_access","resp","fetch","method","body","JSON","stringify","refresh_token","ok","text","warn","payload","json","data","newAT","access_token","newRT","p2","_unused3","audOk2","tenantId2","e","error"],"sources":["../../../src/middlewares/verify-middleware.ts"],"sourcesContent":["import { HttpResponseInit } from \"@azure/functions\";\nimport { HttpRequest } from \"@azure/functions\";\nimport { InvocationContext } from \"@azure/functions\";\nimport { sendResponse } from \"../utils\";\nimport { IMiddleware } from \"../types/middleware\";\nimport { IAppId } from \"../types/app\";\nimport { APP_MAP } from \"../constants\";\nimport { jwtDecode } from \"jwt-decode\";\nimport { setCookieKV } from \"../utils/cookies\";\n\nconst apiURL = process.env.REFRESH_SESSION_URL || ''\n\nconst parseCookieHeader = (header: string | null | undefined) => {\n const out: Record<string, string> = {};\n if (!header) return out;\n for (const part of header.split(\";\")) {\n const [k, ...rest] = part.trim().split(\"=\");\n if (!k) continue;\n out[k] = decodeURIComponent(rest.join(\"=\") || \"\");\n }\n return out;\n};\n\nexport const verifyMw: IMiddleware = async (\n req: HttpRequest,\n ctx: InvocationContext,\n next: () => Promise<HttpResponseInit>\n): Promise<HttpResponseInit> => {\n const appId = req.headers.get(\"app-id\") as IAppId | undefined;\n\n if (!appId || !APP_MAP?.[appId]?.clientId) {\n return sendResponse(400, { status: \"bad_request\", reason: \"invalid_app\" });\n }\n \n const expectedClientId = APP_MAP[appId].clientId;\n\n // cookies\n const cookies = parseCookieHeader(req.headers.get(\"cookie\"));\n const at = cookies[`__Secure-session-v1.${appId}.at`];\n const rt = cookies[`__Secure-session-v1.${appId}.rt`];\n\n if (!at && !rt) {\n return sendResponse(401, { status: \"unauthenticated\", reason: \"no_tokens\" });\n }\n\n // decode/verify (lightweight; replace with your verifyJsonWebToken if you have it)\n let p: any;\n try {\n p = jwtDecode(at);\n } catch {\n return sendResponse(401, { status: \"unauthenticated\", reason: \"invalid_token\" });\n }\n\n if (!p?.sid) {\n return sendResponse(401, { status: \"unauthenticated\", reason: \"user_not_found\" });\n }\n\n const now = Math.floor(Date.now() / 1000);\n // if (typeof p.exp === \"number\" && p.exp <= now) {\n if (typeof p.exp === \"number\" && p.exp >= now) {\n // Delegate to refresh helper; it will handle setting cookies/state or returning an error\n return await getNewRefreshToken(req, ctx, appId, expectedClientId, rt, p, next);\n }\n\n // audience checks\n const audOk =\n (Array.isArray(p.aud) && p.aud.includes(expectedClientId)) ||\n (typeof p.aud === \"string\" && (p.aud === expectedClientId || p.aud === \"account\")) ||\n p.azp === expectedClientId;\n\n if (!audOk) {\n return sendResponse(403, { status: \"forbidden\", reason: \"audience_mismatch\" });\n }\n\n\n setCookieKV(ctx, 'ew','rre');\n\n // pass data downstream\n (ctx as any).state ??= {};\n const tenantId = p.cfy_tid ?? (p.iss ? new URL(p.iss).pathname.split(\"/\").pop() : null);\n\n (ctx as any).state.auth = {\n appId,\n userId: p.sub ?? null,\n businessId: p.cfy_bid ?? tenantId ?? null,\n tenantId,\n email: p.email ?? p.preferred_username ?? null,\n name: p.name ?? undefined,\n roles: p.resource_access?.[expectedClientId]?.roles ?? p.realm_access?.roles ?? [],\n exp: p.exp,\n };\n\n return next();\n};\n\n\n\nasync function getNewRefreshToken(\n req: HttpRequest,\n ctx: InvocationContext,\n appId: IAppId,\n expectedClientId: string,\n rt: string | undefined,\n p: any,\n next: () => Promise<HttpResponseInit>\n): Promise<HttpResponseInit> {\n // Attempt server-side refresh using RT\n if (!rt) {\n return sendResponse(401, { status: \"unauthenticated\", reason: \"expired_no_rt\" });\n }\n\n // Resolve realm for refresh\n let realmId: string | undefined = APP_MAP[appId].auth?.realm;\n if (!realmId) {\n try {\n const issRealm = p?.iss ? new URL(p.iss).pathname.split(\"/\").pop() : undefined;\n realmId = (p as any)?.cfy_tid || issRealm || undefined;\n } catch {\n realmId = undefined;\n }\n }\n\n if (!realmId) {\n return sendResponse(401, { status: \"unauthenticated\", reason: \"cannot_resolve_realm\" });\n }\n\n ctx.info(\"refreshing token payload ----------------------\", {\n realmId,\n expectedClientId,\n rt\n });\n\n\n // Call auth service to refresh\n try {\n const resp = await fetch(apiURL, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ \n realmId, \n clientId: expectedClientId, \n refresh_token: rt\n })\n });\n\n if (!resp.ok) {\n const text = await resp.text();\n ctx.warn?.(`refresh call failed: ${resp.status} ${text}`);\n return sendResponse(401, { status: \"unauthenticated\", reason: \"refresh_failed\" });\n }\n\n\n const payload = await resp.json();\n const data = payload?.data || {};\n const newAT = data.access_token as string | undefined;\n const newRT = data.refresh_token as string | undefined;\n if (!newAT || !newRT) {\n return sendResponse(401, { status: \"unauthenticated\", reason: \"invalid_refresh_response\" });\n }\n\n // Set refreshed cookies for client session\n setCookieKV(ctx, `__Secure-session-v1.${appId}.at`, newAT);\n setCookieKV(ctx, `__Secure-session-v1.${appId}.rt`, newRT);\n\n // Decode new AT and proceed\n let p2: any;\n try { p2 = jwtDecode(newAT); } catch { return sendResponse(401, { status: \"unauthenticated\", reason: \"invalid_new_token\" }); }\n\n const audOk2 =\n (Array.isArray(p2.aud) && p2.aud.includes(expectedClientId)) ||\n (typeof p2.aud === \"string\" && (p2.aud === expectedClientId || p2.aud === \"account\")) ||\n p2.azp === expectedClientId;\n if (!audOk2) {\n return sendResponse(403, { status: \"forbidden\", reason: \"audience_mismatch\" });\n }\n\n // Update downstream auth state with refreshed token\n (ctx as any).state ??= {};\n const tenantId2 = p2.cfy_tid ?? (p2.iss ? new URL(p2.iss).pathname.split(\"/\").pop() : null);\n (ctx as any).state.auth = {\n appId,\n userId: p2.sub ?? null,\n businessId: p2.cfy_bid ?? tenantId2 ?? null,\n tenantId: tenantId2,\n email: p2.email ?? p2.preferred_username ?? null,\n name: p2.name ?? undefined,\n roles: p2.resource_access?.[expectedClientId]?.roles ?? p2.realm_access?.roles ?? [],\n exp: p2.exp,\n };\n\n // Continue pipeline after refresh\n return next();\n } catch (e) {\n ctx.error?.(\"refresh exception\", e as any);\n return sendResponse(401, { status: \"unauthenticated\", reason: \"refresh_exception\" });\n }\n}"],"mappings":"AAGA,SAASA,YAAY,QAAQ,UAAU;AAGvC,SAASC,OAAO,QAAQ,cAAc;AACtC,SAASC,SAAS,QAAQ,YAAY;AACtC,SAASC,WAAW,QAAQ,kBAAkB;AAE9C,MAAMC,MAAM,GAAGC,OAAO,CAACC,GAAG,CAACC,mBAAmB,IAAI,EAAE;AAEpD,MAAMC,iBAAiB,GAAIC,MAAiC,IAAK;EAC/D,MAAMC,GAA2B,GAAG,CAAC,CAAC;EACtC,IAAI,CAACD,MAAM,EAAE,OAAOC,GAAG;EACvB,KAAK,MAAMC,IAAI,IAAIF,MAAM,CAACG,KAAK,CAAC,GAAG,CAAC,EAAE;IACpC,MAAM,CAACC,CAAC,EAAE,GAAGC,IAAI,CAAC,GAAGH,IAAI,CAACI,IAAI,CAAC,CAAC,CAACH,KAAK,CAAC,GAAG,CAAC;IAC3C,IAAI,CAACC,CAAC,EAAE;IACRH,GAAG,CAACG,CAAC,CAAC,GAAGG,kBAAkB,CAACF,IAAI,CAACG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;EACnD;EACA,OAAOP,GAAG;AACZ,CAAC;AAED,OAAO,MAAMQ,QAAqB,GAAG,MAAAA,CACnCC,GAAgB,EAChBC,GAAsB,EACtBC,IAAqC,KACP;EAAA,IAAAC,cAAA,EAAAC,EAAA,EAAAC,IAAA,EAAAC,UAAA,EAAAC,UAAA,EAAAC,MAAA,EAAAC,KAAA,EAAAC,UAAA,EAAAC,KAAA,EAAAC,QAAA,EAAAC,OAAA,EAAAC,KAAA,EAAAC,qBAAA,EAAAC,kBAAA,EAAAC,eAAA;EAC9B,MAAMC,KAAK,GAAGlB,GAAG,CAACmB,OAAO,CAACC,GAAG,CAAC,QAAQ,CAAuB;EAE7D,IAAI,CAACF,KAAK,IAAI,EAACpC,OAAO,aAAAqB,cAAA,GAAPrB,OAAO,CAAGoC,KAAK,CAAC,aAAhBf,cAAA,CAAkBkB,QAAQ,GAAE;IACzC,OAAOxC,YAAY,CAAC,GAAG,EAAE;MAAEyC,MAAM,EAAE,aAAa;MAAEC,MAAM,EAAE;IAAc,CAAC,CAAC;EAC5E;EAEA,MAAMC,gBAAgB,GAAG1C,OAAO,CAACoC,KAAK,CAAC,CAACG,QAAQ;;EAEhD;EACA,MAAMI,OAAO,GAAGpC,iBAAiB,CAACW,GAAG,CAACmB,OAAO,CAACC,GAAG,CAAC,QAAQ,CAAC,CAAC;EAC5D,MAAMM,EAAE,GAAGD,OAAO,CAAC,uBAAuBP,KAAK,KAAK,CAAC;EACrD,MAAMS,EAAE,GAAGF,OAAO,CAAC,uBAAuBP,KAAK,KAAK,CAAC;EAErD,IAAI,CAACQ,EAAE,IAAI,CAACC,EAAE,EAAE;IACd,OAAO9C,YAAY,CAAC,GAAG,EAAE;MAAEyC,MAAM,EAAE,iBAAiB;MAAEC,MAAM,EAAE;IAAY,CAAC,CAAC;EAC9E;;EAEA;EACA,IAAIK,CAAM;EACV,IAAI;IACFA,CAAC,GAAG7C,SAAS,CAAC2C,EAAE,CAAC;EACnB,CAAC,CAAC,OAAAG,OAAA,EAAM;IACN,OAAOhD,YAAY,CAAC,GAAG,EAAE;MAAEyC,MAAM,EAAE,iBAAiB;MAAEC,MAAM,EAAE;IAAgB,CAAC,CAAC;EAClF;EAEA,IAAI,GAAAnB,EAAA,GAACwB,CAAC,aAADxB,EAAA,CAAG0B,GAAG,GAAE;IACX,OAAOjD,YAAY,CAAC,GAAG,EAAE;MAAEyC,MAAM,EAAE,iBAAiB;MAAEC,MAAM,EAAE;IAAiB,CAAC,CAAC;EACnF;EAEA,MAAMQ,GAAG,GAAGC,IAAI,CAACC,KAAK,CAACC,IAAI,CAACH,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC;EACzC;EACA,IAAI,OAAOH,CAAC,CAACO,GAAG,KAAK,QAAQ,IAAIP,CAAC,CAACO,GAAG,IAAIJ,GAAG,EAAE;IAC7C;IACA,OAAO,MAAMK,kBAAkB,CAACpC,GAAG,EAAEC,GAAG,EAAEiB,KAAK,EAAEM,gBAAgB,EAAEG,EAAE,EAAEC,CAAC,EAAE1B,IAAI,CAAC;EACjF;;EAEA;EACA,MAAMmC,KAAK,GACRC,KAAK,CAACC,OAAO,CAACX,CAAC,CAACY,GAAG,CAAC,IAAIZ,CAAC,CAACY,GAAG,CAACC,QAAQ,CAACjB,gBAAgB,CAAC,IACxD,OAAOI,CAAC,CAACY,GAAG,KAAK,QAAQ,KAAKZ,CAAC,CAACY,GAAG,KAAKhB,gBAAgB,IAAII,CAAC,CAACY,GAAG,KAAK,SAAS,CAAE,IAClFZ,CAAC,CAACc,GAAG,KAAKlB,gBAAgB;EAE5B,IAAI,CAACa,KAAK,EAAE;IACV,OAAOxD,YAAY,CAAC,GAAG,EAAE;MAAEyC,MAAM,EAAE,WAAW;MAAEC,MAAM,EAAE;IAAoB,CAAC,CAAC;EAChF;EAGAvC,WAAW,CAACiB,GAAG,EAAE,IAAI,EAAC,KAAK,CAAC;;EAE5B;EACA,CAAAK,UAAA,IAAAD,IAAA,GAACJ,GAAG,EAAS0C,KAAK,YAAArC,UAAA,GAAlBD,IAAA,CAAasC,KAAK,GAAK,CAAC,CAAC;EACzB,MAAMC,QAAQ,IAAArC,UAAA,GAAGqB,CAAC,CAACiB,OAAO,YAAAtC,UAAA,GAAKqB,CAAC,CAACkB,GAAG,GAAG,IAAIC,GAAG,CAACnB,CAAC,CAACkB,GAAG,CAAC,CAACE,QAAQ,CAACvD,KAAK,CAAC,GAAG,CAAC,CAACwD,GAAG,CAAC,CAAC,GAAG,IAAK;EAEtFhD,GAAG,CAAS0C,KAAK,CAACO,IAAI,GAAG;IACxBhC,KAAK;IACLiC,MAAM,GAAA3C,MAAA,GAAEoB,CAAC,CAACwB,GAAG,YAAA5C,MAAA,GAAI,IAAI;IACrB6C,UAAU,GAAA5C,KAAA,IAAAC,UAAA,GAAEkB,CAAC,CAAC0B,OAAO,YAAA5C,UAAA,GAAIkC,QAAQ,YAAAnC,KAAA,GAAI,IAAI;IACzCmC,QAAQ;IACRW,KAAK,GAAA5C,KAAA,IAAAC,QAAA,GAAEgB,CAAC,CAAC2B,KAAK,YAAA3C,QAAA,GAAIgB,CAAC,CAAC4B,kBAAkB,YAAA7C,KAAA,GAAI,IAAI;IAC9C8C,IAAI,GAAA5C,OAAA,GAAEe,CAAC,CAAC6B,IAAI,YAAA5C,OAAA,GAAI6C,SAAS;IACzBC,KAAK,GAAA7C,KAAA,IAAAC,qBAAA,IAAAC,kBAAA,GAAEY,CAAC,CAACgC,eAAe,cAAA5C,kBAAA,GAAjBA,kBAAA,CAAoBQ,gBAAgB,CAAC,qBAArCR,kBAAA,CAAuC2C,KAAK,YAAA5C,qBAAA,IAAAE,eAAA,GAAIW,CAAC,CAACiC,YAAY,qBAAd5C,eAAA,CAAgB0C,KAAK,YAAA7C,KAAA,GAAI,EAAE;IAClFqB,GAAG,EAAEP,CAAC,CAACO;EACT,CAAC;EAED,OAAOjC,IAAI,CAAC,CAAC;AACf,CAAC;AAID,eAAekC,kBAAkBA,CAC/BpC,GAAgB,EAChBC,GAAsB,EACtBiB,KAAa,EACbM,gBAAwB,EACxBG,EAAsB,EACtBC,CAAM,EACN1B,IAAqC,EACV;EAAA,IAAA4D,mBAAA;EAC3B;EACA,IAAI,CAACnC,EAAE,EAAE;IACP,OAAO9C,YAAY,CAAC,GAAG,EAAE;MAAEyC,MAAM,EAAE,iBAAiB;MAAEC,MAAM,EAAE;IAAgB,CAAC,CAAC;EAClF;;EAEA;EACA,IAAIwC,OAA2B,IAAAD,mBAAA,GAAGhF,OAAO,CAACoC,KAAK,CAAC,CAACgC,IAAI,qBAAnBY,mBAAA,CAAqBE,KAAK;EAC5D,IAAI,CAACD,OAAO,EAAE;IACZ,IAAI;MACF,MAAME,QAAQ,GAAGrC,CAAC,YAADA,CAAC,CAAEkB,GAAG,GAAG,IAAIC,GAAG,CAACnB,CAAC,CAACkB,GAAG,CAAC,CAACE,QAAQ,CAACvD,KAAK,CAAC,GAAG,CAAC,CAACwD,GAAG,CAAC,CAAC,GAAGS,SAAS;MAC9EK,OAAO,GAAG,CAACnC,CAAC,oBAADA,CAAC,CAAUiB,OAAO,KAAIoB,QAAQ,IAAIP,SAAS;IACxD,CAAC,CAAC,OAAAQ,QAAA,EAAM;MACNH,OAAO,GAAGL,SAAS;IACrB;EACF;EAEA,IAAI,CAACK,OAAO,EAAE;IACZ,OAAOlF,YAAY,CAAC,GAAG,EAAE;MAAEyC,MAAM,EAAE,iBAAiB;MAAEC,MAAM,EAAE;IAAuB,CAAC,CAAC;EACzF;EAEAtB,GAAG,CAACkE,IAAI,CAAC,iDAAiD,EAAE;IAC1DJ,OAAO;IACPvC,gBAAgB;IAChBG;EACF,CAAC,CAAC;;EAGF;EACA,IAAI;IAAA,IAAAyC,KAAA,EAAAC,WAAA,EAAAC,WAAA,EAAAC,OAAA,EAAAC,KAAA,EAAAC,WAAA,EAAAC,KAAA,EAAAC,SAAA,EAAAC,QAAA,EAAAC,KAAA,EAAAC,qBAAA,EAAAC,mBAAA,EAAAC,gBAAA;IACF,MAAMC,IAAI,GAAG,MAAMC,KAAK,CAACjG,MAAM,EAAE;MAC/BkG,MAAM,EAAE,MAAM;MACdhE,OAAO,EAAE;QAAE,cAAc,EAAE;MAAmB,CAAC;MAC/CiE,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QACnBvB,OAAO;QACP1C,QAAQ,EAAEG,gBAAgB;QAC1B+D,aAAa,EAAE5D;MACjB,CAAC;IACH,CAAC,CAAC;IAEF,IAAI,CAACsD,IAAI,CAACO,EAAE,EAAE;MACZ,MAAMC,IAAI,GAAG,MAAMR,IAAI,CAACQ,IAAI,CAAC,CAAC;MAC9BxF,GAAG,CAACyF,IAAI,YAARzF,GAAG,CAACyF,IAAI,CAAG,wBAAwBT,IAAI,CAAC3D,MAAM,IAAImE,IAAI,EAAE,CAAC;MACzD,OAAO5G,YAAY,CAAC,GAAG,EAAE;QAAEyC,MAAM,EAAE,iBAAiB;QAAEC,MAAM,EAAE;MAAiB,CAAC,CAAC;IACnF;IAGA,MAAMoE,OAAO,GAAG,MAAMV,IAAI,CAACW,IAAI,CAAC,CAAC;IACjC,MAAMC,IAAI,GAAG,CAAAF,OAAO,oBAAPA,OAAO,CAAEE,IAAI,KAAI,CAAC,CAAC;IAChC,MAAMC,KAAK,GAAGD,IAAI,CAACE,YAAkC;IACrD,MAAMC,KAAK,GAAGH,IAAI,CAACN,aAAmC;IACtD,IAAI,CAACO,KAAK,IAAI,CAACE,KAAK,EAAE;MACpB,OAAOnH,YAAY,CAAC,GAAG,EAAE;QAAEyC,MAAM,EAAE,iBAAiB;QAAEC,MAAM,EAAE;MAA2B,CAAC,CAAC;IAC7F;;IAEA;IACAvC,WAAW,CAACiB,GAAG,EAAE,uBAAuBiB,KAAK,KAAK,EAAE4E,KAAK,CAAC;IAC1D9G,WAAW,CAACiB,GAAG,EAAE,uBAAuBiB,KAAK,KAAK,EAAE8E,KAAK,CAAC;;IAE1D;IACA,IAAIC,EAAO;IACX,IAAI;MAAEA,EAAE,GAAGlH,SAAS,CAAC+G,KAAK,CAAC;IAAE,CAAC,CAAC,OAAAI,QAAA,EAAM;MAAE,OAAOrH,YAAY,CAAC,GAAG,EAAE;QAAEyC,MAAM,EAAE,iBAAiB;QAAEC,MAAM,EAAE;MAAoB,CAAC,CAAC;IAAE;IAE7H,MAAM4E,MAAM,GACT7D,KAAK,CAACC,OAAO,CAAC0D,EAAE,CAACzD,GAAG,CAAC,IAAIyD,EAAE,CAACzD,GAAG,CAACC,QAAQ,CAACjB,gBAAgB,CAAC,IAC1D,OAAOyE,EAAE,CAACzD,GAAG,KAAK,QAAQ,KAAKyD,EAAE,CAACzD,GAAG,KAAKhB,gBAAgB,IAAIyE,EAAE,CAACzD,GAAG,KAAK,SAAS,CAAE,IACrFyD,EAAE,CAACvD,GAAG,KAAKlB,gBAAgB;IAC7B,IAAI,CAAC2E,MAAM,EAAE;MACX,OAAOtH,YAAY,CAAC,GAAG,EAAE;QAAEyC,MAAM,EAAE,WAAW;QAAEC,MAAM,EAAE;MAAoB,CAAC,CAAC;IAChF;;IAEA;IACA,CAAA8C,WAAA,IAAAD,KAAA,GAACnE,GAAG,EAAS0C,KAAK,YAAA0B,WAAA,GAAlBD,KAAA,CAAazB,KAAK,GAAK,CAAC,CAAC;IACzB,MAAMyD,SAAS,IAAA9B,WAAA,GAAG2B,EAAE,CAACpD,OAAO,YAAAyB,WAAA,GAAK2B,EAAE,CAACnD,GAAG,GAAG,IAAIC,GAAG,CAACkD,EAAE,CAACnD,GAAG,CAAC,CAACE,QAAQ,CAACvD,KAAK,CAAC,GAAG,CAAC,CAACwD,GAAG,CAAC,CAAC,GAAG,IAAK;IAC1FhD,GAAG,CAAS0C,KAAK,CAACO,IAAI,GAAG;MACxBhC,KAAK;MACLiC,MAAM,GAAAoB,OAAA,GAAE0B,EAAE,CAAC7C,GAAG,YAAAmB,OAAA,GAAI,IAAI;MACtBlB,UAAU,GAAAmB,KAAA,IAAAC,WAAA,GAAEwB,EAAE,CAAC3C,OAAO,YAAAmB,WAAA,GAAI2B,SAAS,YAAA5B,KAAA,GAAI,IAAI;MAC3C5B,QAAQ,EAAEwD,SAAS;MACnB7C,KAAK,GAAAmB,KAAA,IAAAC,SAAA,GAAEsB,EAAE,CAAC1C,KAAK,YAAAoB,SAAA,GAAIsB,EAAE,CAACzC,kBAAkB,YAAAkB,KAAA,GAAI,IAAI;MAChDjB,IAAI,GAAAmB,QAAA,GAAEqB,EAAE,CAACxC,IAAI,YAAAmB,QAAA,GAAIlB,SAAS;MAC1BC,KAAK,GAAAkB,KAAA,IAAAC,qBAAA,IAAAC,mBAAA,GAAEkB,EAAE,CAACrC,eAAe,cAAAmB,mBAAA,GAAlBA,mBAAA,CAAqBvD,gBAAgB,CAAC,qBAAtCuD,mBAAA,CAAwCpB,KAAK,YAAAmB,qBAAA,IAAAE,gBAAA,GAAIiB,EAAE,CAACpC,YAAY,qBAAfmB,gBAAA,CAAiBrB,KAAK,YAAAkB,KAAA,GAAI,EAAE;MACpF1C,GAAG,EAAE8D,EAAE,CAAC9D;IACV,CAAC;;IAED;IACA,OAAOjC,IAAI,CAAC,CAAC;EACf,CAAC,CAAC,OAAOmG,CAAC,EAAE;IACVpG,GAAG,CAACqG,KAAK,YAATrG,GAAG,CAACqG,KAAK,CAAG,mBAAmB,EAAED,CAAQ,CAAC;IAC1C,OAAOxH,YAAY,CAAC,GAAG,EAAE;MAAEyC,MAAM,EAAE,iBAAiB;MAAEC,MAAM,EAAE;IAAoB,CAAC,CAAC;EACtF;AACF","ignoreList":[]}

package/build/esm/types/app.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=app.js.map

package/build/esm/types/app.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"app.js","names":[],"sources":["../../../src/types/app.ts"],"sourcesContent":["export type IAppId = \"3238hxa2\";\n\nexport interface IDomainMappings {\n domains: Record<string, string[]>;\n clientId: string;\n appId: string;\n name: string;\n exclude: Record<string, string[]>;\n cookie: {\n prefix: string;\n domain: {\n local: string | null;\n dev: string;\n staging: string;\n prod: string;\n };\n path: string;\n sameSite: string;\n secure: boolean;\n httpOnly: boolean;\n maxAgeSec: { sid: number; rt: number };\n };\n auth?: {\n realm: string;\n clientId: string;\n };\n}"],"mappings":"","ignoreList":[]}

package/build/esm/types/middleware.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=middleware.js.map

package/build/esm/types/middleware.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"middleware.js","names":[],"sources":["../../../src/types/middleware.ts"],"sourcesContent":["import { HttpRequest, HttpResponseInit, InvocationContext } from \"@azure/functions\";\n\n\nexport type IMiddleware = (\n req: HttpRequest,\n ctx: InvocationContext,\n next: () => Promise<HttpResponseInit>\n) => Promise<HttpResponseInit>;\n\nexport type IHandler = (req: HttpRequest, ctx: InvocationContext) => Promise<HttpResponseInit>;"],"mappings":"","ignoreList":[]}

package/build/esm/utils/cookies.js ADDED Viewed

@@ -0,0 +1,24 @@
+export function setCookieKV(ctx, key, value) {
+  var _ref, _ref$CTX_COOKIES_OBJ, _ref2, _ref2$CTX_COOKIES;
+  // Object-cookie bag (preferred)
+  const CTX_COOKIES_OBJ = Symbol.for("cfy.resCookies.obj");
+  // @ts-ignore
+  const objBag = (_ref$CTX_COOKIES_OBJ = (_ref = ctx)[CTX_COOKIES_OBJ]) != null ? _ref$CTX_COOKIES_OBJ : _ref[CTX_COOKIES_OBJ] = [];
+  objBag.push({
+    name: key,
+    value,
+    path: "/",
+    httpOnly: true,
+    secure: true,
+    // drop to false if testing on http://
+    sameSite: "None",
+    // use "Lax" for same-site
+    maxAge: 300 // seconds
+  });
+  // (Optional) Keep your string fallback too:
+  const CTX_COOKIES = Symbol.for("cfy.resCookies");
+  const strBag = (_ref2$CTX_COOKIES = (_ref2 = ctx)[CTX_COOKIES]) != null ? _ref2$CTX_COOKIES : _ref2[CTX_COOKIES] = [];
+  strBag.push(`${encodeURIComponent(key)}=${encodeURIComponent(value)}; Path=/; HttpOnly; SameSite=None; Secure; Max-Age=300`);
+}
+//# sourceMappingURL=cookies.js.map

package/build/esm/utils/cookies.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"cookies.js","names":["setCookieKV","ctx","key","value","_ref","_ref$CTX_COOKIES_OBJ","_ref2","_ref2$CTX_COOKIES","CTX_COOKIES_OBJ","Symbol","for","objBag","push","name","path","httpOnly","secure","sameSite","maxAge","CTX_COOKIES","strBag","encodeURIComponent"],"sources":["../../../src/utils/cookies.ts"],"sourcesContent":["import { InvocationContext } from \"@azure/functions\";\n\nexport function setCookieKV(ctx: InvocationContext, key: string, value: string): void {\n // Object-cookie bag (preferred)\n const CTX_COOKIES_OBJ = Symbol.for(\"cfy.resCookies.obj\");\n // @ts-ignore\n const objBag = ((ctx as any)[CTX_COOKIES_OBJ] ??= [] as HttpCookie[]);\n objBag.push({\n name: key,\n value,\n path: \"/\",\n httpOnly: true,\n secure: true, // drop to false if testing on http://\n sameSite: \"None\", // use \"Lax\" for same-site\n maxAge: 300, // seconds\n });\n\n // (Optional) Keep your string fallback too:\n const CTX_COOKIES = Symbol.for(\"cfy.resCookies\");\n const strBag = ((ctx as any)[CTX_COOKIES] ??= [] as string[]);\n strBag.push(\n `${encodeURIComponent(key)}=${encodeURIComponent(value)}; Path=/; HttpOnly; SameSite=None; Secure; Max-Age=300`\n );\n}"],"mappings":"AAEA,OAAO,SAASA,WAAWA,CAACC,GAAsB,EAAEC,GAAW,EAAEC,KAAa,EAAQ;EAAA,IAAAC,IAAA,EAAAC,oBAAA,EAAAC,KAAA,EAAAC,iBAAA;EACpF;EACA,MAAMC,eAAe,GAAGC,MAAM,CAACC,GAAG,CAAC,oBAAoB,CAAC;EACxD;EACA,MAAMC,MAAM,IAAAN,oBAAA,GAAI,CAAAD,IAAA,GAACH,GAAG,EAASO,eAAe,CAAC,YAAAH,oBAAA,GAA7BD,IAAA,CAAaI,eAAe,CAAC,GAAK,EAAmB;EACrEG,MAAM,CAACC,IAAI,CAAC;IACRC,IAAI,EAAEX,GAAG;IACTC,KAAK;IACLW,IAAI,EAAE,GAAG;IACTC,QAAQ,EAAE,IAAI;IACdC,MAAM,EAAE,IAAI;IAAQ;IACpBC,QAAQ,EAAE,MAAM;IAAI;IACpBC,MAAM,EAAE,GAAG,CAAS;EACxB,CAAC,CAAC;;EAEF;EACA,MAAMC,WAAW,GAAGV,MAAM,CAACC,GAAG,CAAC,gBAAgB,CAAC;EAChD,MAAMU,MAAM,IAAAb,iBAAA,GAAI,CAAAD,KAAA,GAACL,GAAG,EAASkB,WAAW,CAAC,YAAAZ,iBAAA,GAAzBD,KAAA,CAAaa,WAAW,CAAC,GAAK,EAAe;EAC7DC,MAAM,CAACR,IAAI,CACP,GAAGS,kBAAkB,CAACnB,GAAG,CAAC,IAAImB,kBAAkB,CAAClB,KAAK,CAAC,wDAC3D,CAAC;AACH","ignoreList":[]}

package/build/esm/utils/index.js CHANGED Viewed

@@ -3,4 +3,5 @@ export * from './response';
 export * from './initializers';
 export * from './mapper';
 export * from './jwt';
+export * from './middleware';
 //# sourceMappingURL=index.js.map

package/build/esm/utils/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","names":[],"sources":["../../../src/utils/index.ts"],"sourcesContent":["export * from './secrets';\nexport * from './response';\nexport * from './initializers';\nexport * from './mapper';\nexport * from './jwt';"],"mappings":"AAAA,cAAc,WAAW;AACzB,cAAc,YAAY;AAC1B,cAAc,gBAAgB;AAC9B,cAAc,UAAU;AACxB,cAAc,OAAO","ignoreList":[]}
1	+ {"version":3,"file":"index.js","names":[],"sources":["../../../src/utils/index.ts"],"sourcesContent":["export * from './secrets';\nexport * from './response';\nexport * from './initializers';\nexport * from './mapper';\nexport * from './jwt';\nexport * from './middleware';\n"],"mappings":"AAAA,cAAc,WAAW;AACzB,cAAc,YAAY;AAC1B,cAAc,gBAAgB;AAC9B,cAAc,UAAU;AACxB,cAAc,OAAO;AACrB,cAAc,cAAc","ignoreList":[]}

package/build/esm/utils/middleware.js ADDED Viewed

@@ -0,0 +1,65 @@
+function _extends() { return _extends = Object.assign ? Object.assign.bind() : function (n) { for (var e = 1; e < arguments.length; e++) { var t = arguments[e]; for (var r in t) ({}).hasOwnProperty.call(t, r) && (n[r] = t[r]); } return n; }, _extends.apply(null, arguments); }
+/**
+ * Compose Azure Functions middlewares (Koa-style).
+ * Each middleware gets (req, ctx, next) and must either:
+ *  - `return await next()` to pass-through, or
+ *  - `return <HttpResponseInit>` to short-circuit.
+ *
+ * Any headers/cookies accumulated on ctx via Symbol.for("cfy.resHeaders"/"cfy.resCookies")
+ * are merged into the final response.
+ */
+// ---- withMW (kept small; merges any ctx headers/cookies if you use them) ----
+export function withMW(middlewares, handler) {
+  return async (req, ctx) => {
+    var _res$headers;
+    const stack = [...middlewares, async (r, c) => handler(r, c)];
+    let index = -1;
+    const dispatch = async i => {
+      if (i <= index) throw new Error("next() called multiple times");
+      index = i;
+      const fn = stack[i];
+      if (!fn) throw new Error("No handler in middleware stack");
+      // next always returns a HttpResponseInit
+      const next = () => dispatch(i + 1);
+      const result = await fn(req, ctx, next);
+      if (result === undefined) {
+        throw new Error("Middleware must return a response or `return await next()`");
+      }
+      return result;
+    };
+    const res = await dispatch(0);
+    // optional: merge bags if you set them elsewhere
+    const CTX_HEADERS = Symbol.for("cfy.resHeaders");
+    const CTX_COOKIES = Symbol.for("cfy.resCookies"); // string[]
+    const CTX_COOKIES_OBJ = Symbol.for("cfy.resCookies.obj"); // HttpCookie[]
+    const merged = _extends({}, res, {
+      headers: _extends({}, (_res$headers = res.headers) != null ? _res$headers : {})
+    });
+    // merge cookies as objects (preferred by Azure Functions)
+    // @ts-ignore
+    const objCookies = ctx[CTX_COOKIES_OBJ];
+    if (objCookies != null && objCookies.length) {
+      var _res$cookies;
+      merged.cookies = [...((_res$cookies = res.cookies) != null ? _res$cookies : []), ...objCookies];
+    }
+    // (optional) header fallback for environments that expect Set-Cookie header(s)
+    const cookies = ctx[CTX_COOKIES];
+    if (cookies != null && cookies.length) {
+      var _h$SetCookie;
+      const h = merged.headers;
+      const existing = (_h$SetCookie = h["Set-Cookie"]) != null ? _h$SetCookie : h["set-cookie"];
+      h["Set-Cookie"] = existing ? Array.isArray(existing) ? existing.concat(cookies) : [existing, ...cookies] : cookies;
+    }
+    // merge extra headers if you use that bag
+    const extra = ctx[CTX_HEADERS];
+    if (extra) for (const [k, v] of Object.entries(extra)) merged.headers[k] = v;
+    return merged;
+  };
+}
+//# sourceMappingURL=middleware.js.map

package/build/esm/utils/middleware.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"middleware.js","names":["withMW","middlewares","handler","req","ctx","_res$headers","stack","r","c","index","dispatch","i","Error","fn","next","result","undefined","res","CTX_HEADERS","Symbol","for","CTX_COOKIES","CTX_COOKIES_OBJ","merged","_extends","headers","objCookies","length","_res$cookies","cookies","_h$SetCookie","h","existing","Array","isArray","concat","extra","k","v","Object","entries"],"sources":["../../../src/utils/middleware.ts"],"sourcesContent":["import { app, HttpRequest, HttpResponseInit, InvocationContext } from \"@azure/functions\";\nimport { IHandler, IMiddleware } from \"../types/middleware\";\n\n/**\n * Compose Azure Functions middlewares (Koa-style).\n * Each middleware gets (req, ctx, next) and must either:\n * - `return await next()` to pass-through, or\n * - `return <HttpResponseInit>` to short-circuit.\n *\n * Any headers/cookies accumulated on ctx via Symbol.for(\"cfy.resHeaders\"/\"cfy.resCookies\")\n * are merged into the final response.\n */\n// ---- withMW (kept small; merges any ctx headers/cookies if you use them) ----\nexport function withMW(middlewares: IMiddleware[], handler: IHandler) {\n return async (req: HttpRequest, ctx: InvocationContext): Promise<HttpResponseInit> => {\n const stack: IMiddleware[] = [...middlewares, async (r, c) => handler(r, c)];\n\n let index = -1;\n const dispatch = async (i: number): Promise<HttpResponseInit> => {\n if (i <= index) throw new Error(\"next() called multiple times\");\n index = i;\n\n const fn = stack[i];\n if (!fn) throw new Error(\"No handler in middleware stack\");\n\n // next always returns a HttpResponseInit\n const next = () => dispatch(i + 1);\n const result = await fn(req, ctx, next);\n\n if (result === undefined) {\n throw new Error(\"Middleware must return a response or `return await next()`\");\n }\n return result;\n };\n\n const res = await dispatch(0);\n\n // optional: merge bags if you set them elsewhere\n const CTX_HEADERS = Symbol.for(\"cfy.resHeaders\");\n const CTX_COOKIES = Symbol.for(\"cfy.resCookies\"); // string[]\n const CTX_COOKIES_OBJ = Symbol.for(\"cfy.resCookies.obj\"); // HttpCookie[]\n\n const merged: HttpResponseInit = { ...res, headers: { ...(res.headers ?? {}) } };\n\n // merge cookies as objects (preferred by Azure Functions)\n // @ts-ignore\n const objCookies = (ctx as any)[CTX_COOKIES_OBJ] as HttpCookie[] | undefined;\n if (objCookies?.length) {\n merged.cookies = [...(res.cookies ?? []), ...objCookies];\n }\n\n // (optional) header fallback for environments that expect Set-Cookie header(s)\n const cookies = (ctx as any)[CTX_COOKIES] as string[] | undefined;\n if (cookies?.length) {\n const h = merged.headers as any;\n const existing = h[\"Set-Cookie\"] ?? h[\"set-cookie\"];\n h[\"Set-Cookie\"] = existing\n ? (Array.isArray(existing) ? existing.concat(cookies) : [existing, ...cookies])\n : cookies;\n }\n\n // merge extra headers if you use that bag\n const extra = (ctx as any)[CTX_HEADERS] as Record<string, string | string[]> | undefined;\n if (extra) for (const [k, v] of Object.entries(extra)) (merged.headers as any)[k] = v;\n\n return merged;\n\n\n };\n}\n"],"mappings":";AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASA,MAAMA,CAACC,WAA0B,EAAEC,OAAiB,EAAE;EACpE,OAAO,OAAOC,GAAgB,EAAEC,GAAsB,KAAgC;IAAA,IAAAC,YAAA;IAClF,MAAMC,KAAoB,GAAG,CAAC,GAAGL,WAAW,EAAE,OAAOM,CAAC,EAAEC,CAAC,KAAKN,OAAO,CAACK,CAAC,EAAEC,CAAC,CAAC,CAAC;IAE5E,IAAIC,KAAK,GAAG,CAAC,CAAC;IACd,MAAMC,QAAQ,GAAG,MAAOC,CAAS,IAAgC;MAC7D,IAAIA,CAAC,IAAIF,KAAK,EAAE,MAAM,IAAIG,KAAK,CAAC,8BAA8B,CAAC;MAC/DH,KAAK,GAAGE,CAAC;MAET,MAAME,EAAE,GAAGP,KAAK,CAACK,CAAC,CAAC;MACnB,IAAI,CAACE,EAAE,EAAE,MAAM,IAAID,KAAK,CAAC,gCAAgC,CAAC;;MAE1D;MACA,MAAME,IAAI,GAAGA,CAAA,KAAMJ,QAAQ,CAACC,CAAC,GAAG,CAAC,CAAC;MAClC,MAAMI,MAAM,GAAG,MAAMF,EAAE,CAACV,GAAG,EAAEC,GAAG,EAAEU,IAAI,CAAC;MAEvC,IAAIC,MAAM,KAAKC,SAAS,EAAE;QACtB,MAAM,IAAIJ,KAAK,CAAC,4DAA4D,CAAC;MACjF;MACA,OAAOG,MAAM;IACjB,CAAC;IAED,MAAME,GAAG,GAAG,MAAMP,QAAQ,CAAC,CAAC,CAAC;;IAE7B;IACA,MAAMQ,WAAW,GAAGC,MAAM,CAACC,GAAG,CAAC,gBAAgB,CAAC;IAChD,MAAMC,WAAW,GAAGF,MAAM,CAACC,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAO;IACxD,MAAME,eAAe,GAAGH,MAAM,CAACC,GAAG,CAAC,oBAAoB,CAAC,CAAC,CAAC;;IAE1D,MAAMG,MAAwB,GAAAC,QAAA,KAAQP,GAAG;MAAEQ,OAAO,EAAAD,QAAA,MAAAnB,YAAA,GAAQY,GAAG,CAACQ,OAAO,YAAApB,YAAA,GAAI,CAAC,CAAC;IAAG,EAAE;;IAEhF;IACA;IACA,MAAMqB,UAAU,GAAItB,GAAG,CAASkB,eAAe,CAA6B;IAC5E,IAAII,UAAU,YAAVA,UAAU,CAAEC,MAAM,EAAE;MAAA,IAAAC,YAAA;MACpBL,MAAM,CAACM,OAAO,GAAG,CAAC,KAAAD,YAAA,GAAIX,GAAG,CAACY,OAAO,YAAAD,YAAA,GAAI,EAAE,CAAC,EAAE,GAAGF,UAAU,CAAC;IAC5D;;IAEA;IACA,MAAMG,OAAO,GAAIzB,GAAG,CAASiB,WAAW,CAAyB;IACjE,IAAIQ,OAAO,YAAPA,OAAO,CAAEF,MAAM,EAAE;MAAA,IAAAG,YAAA;MACjB,MAAMC,CAAC,GAAGR,MAAM,CAACE,OAAc;MAC/B,MAAMO,QAAQ,IAAAF,YAAA,GAAGC,CAAC,CAAC,YAAY,CAAC,YAAAD,YAAA,GAAIC,CAAC,CAAC,YAAY,CAAC;MACnDA,CAAC,CAAC,YAAY,CAAC,GAAGC,QAAQ,GACnBC,KAAK,CAACC,OAAO,CAACF,QAAQ,CAAC,GAAGA,QAAQ,CAACG,MAAM,CAACN,OAAO,CAAC,GAAG,CAACG,QAAQ,EAAE,GAAGH,OAAO,CAAC,GAC5EA,OAAO;IACjB;;IAEA;IACA,MAAMO,KAAK,GAAIhC,GAAG,CAASc,WAAW,CAAkD;IACxF,IAAIkB,KAAK,EAAE,KAAK,MAAM,CAACC,CAAC,EAAEC,CAAC,CAAC,IAAIC,MAAM,CAACC,OAAO,CAACJ,KAAK,CAAC,EAAGb,MAAM,CAACE,OAAO,CAASY,CAAC,CAAC,GAAGC,CAAC;IAErF,OAAOf,MAAM;EAGjB,CAAC;AACH","ignoreList":[]}

package/build/src/constants/app.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import { IAppId, IDomainMappings } from "../types/app";
2	+ export declare const APP_MAP: Record<IAppId, IDomainMappings>;

package/build/src/constants/app.js ADDED Viewed

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.APP_MAP = void 0;
+exports.APP_MAP = {
+    '3238hxa2': {
+        appId: "3238hxa2",
+        name: "superadmin",
+        clientId: "cfy-superadmin-web",
+        domains: {
+            local: ["localhost:5173", "127.0.0.1:5173"],
+            dev: ["accounts.dev.culturefy.app"],
+            staging: ["accounts.staging.culturefy.app"],
+            prod: ["accounts.culturefy.app"]
+        },
+        auth: {
+            realm: "superadmin",
+            clientId: "cfy-superadmin-web",
+        },
+        exclude: {
+            prod: [] // e.g. add "app.culturefy.app" to prevent misrouting
+        },
+        cookie: {
+            prefix: "__Secure-auth",
+            domain: {
+                local: null, // host-bound in local
+                dev: ".culturefy.dev", // adjust to your dev root
+                staging: ".culturefy.staging", // adjust to your staging root
+                prod: ".culturefy.app"
+            },
+            path: "/",
+            sameSite: "None",
+            secure: true,
+            httpOnly: true,
+            maxAgeSec: { sid: 15 * 60, rt: 30 * 24 * 60 * 60 } // 15m / 30d
+        }
+    },
+};
+//# sourceMappingURL=app.js.map

package/build/src/constants/app.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"app.js","sourceRoot":"","sources":["../../../src/constants/app.ts"],"names":[],"mappings":";;;AAEa,QAAA,OAAO,GAAoC;IACtD,UAAU,EAAE;QACR,KAAK,EAAE,UAAU;QACjB,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,oBAAoB;QAC9B,OAAO,EAAE;YACL,KAAK,EAAE,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;YAC3C,GAAG,EAAE,CAAC,4BAA4B,CAAC;YACnC,OAAO,EAAE,CAAC,gCAAgC,CAAC;YAC3C,IAAI,EAAE,CAAC,wBAAwB,CAAC;SACnC;QAED,IAAI,EAAE;YACF,KAAK,EAAE,YAAY;YACnB,QAAQ,EAAE,oBAAoB;SACjC;QAED,OAAO,EAAE;YACL,IAAI,EAAE,EAAE,CAAC,qDAAqD;SACjE;QACD,MAAM,EAAE;YACJ,MAAM,EAAE,eAAe;YACvB,MAAM,EAAE;gBACJ,KAAK,EAAE,IAAI,EAAE,sBAAsB;gBACnC,GAAG,EAAE,gBAAgB,EAAE,0BAA0B;gBACjD,OAAO,EAAE,oBAAoB,EAAE,8BAA8B;gBAC7D,IAAI,EAAE,gBAAgB;aACzB;YACD,IAAI,EAAE,GAAG;YACT,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,IAAI;YACd,SAAS,EAAE,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,YAAY;SAClE;KAEJ;CAEF,CAAC"}

package/build/src/constants/index.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export * from './app';

package/build/src/constants/index.js ADDED Viewed

@@ -0,0 +1,5 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const tslib_1 = require("tslib");
+tslib_1.__exportStar(require("./app"), exports);
+//# sourceMappingURL=index.js.map

package/build/src/constants/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/constants/index.ts"],"names":[],"mappings":";;;AAAA,gDAAsB"}

package/build/src/index.d.ts CHANGED Viewed

@@ -2,3 +2,4 @@ export * from './types';
 export * from './enums';
 export * from './utils';
 export * from './middlewares';
+export * from './constants';

package/build/src/index.js CHANGED Viewed

@@ -5,4 +5,5 @@ tslib_1.__exportStar(require("./types"), exports);
 tslib_1.__exportStar(require("./enums"), exports);
 tslib_1.__exportStar(require("./utils"), exports);
 tslib_1.__exportStar(require("./middlewares"), exports);
+tslib_1.__exportStar(require("./constants"), exports);
 //# sourceMappingURL=index.js.map

package/build/src/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,kDAAwB;AACxB,kDAAwB;AACxB,kDAAwB;AACxB,wDAA8B"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,kDAAwB;AACxB,kDAAwB;AACxB,kDAAwB;AACxB,wDAA8B;AAC9B,sDAA4B"}

package/build/src/middlewares/sample middleware.d.ts ADDED Viewed

File without changes

package/build/src/middlewares/sample middleware.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ "use strict";
2	+ //# sourceMappingURL=sample%20middleware.js.map

package/build/src/middlewares/sample middleware.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"sample middleware.js","sourceRoot":"","sources":["../../../src/middlewares/sample middleware.ts"],"names":[],"mappings":""}

package/build/src/middlewares/verify-middleware.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import { IMiddleware } from "../types/middleware";
2	+ export declare const verifyMw: IMiddleware;

package/build/src/middlewares/verify-middleware.js ADDED Viewed

@@ -0,0 +1,167 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyMw = void 0;
+const tslib_1 = require("tslib");
+const utils_1 = require("../utils");
+const constants_1 = require("../constants");
+const jwt_decode_1 = require("jwt-decode");
+const cookies_1 = require("../utils/cookies");
+const apiURL = process.env.REFRESH_SESSION_URL || '';
+const parseCookieHeader = (header) => {
+    const out = {};
+    if (!header)
+        return out;
+    for (const part of header.split(";")) {
+        const [k, ...rest] = part.trim().split("=");
+        if (!k)
+            continue;
+        out[k] = decodeURIComponent(rest.join("=") || "");
+    }
+    return out;
+};
+const verifyMw = (req, ctx, next) => tslib_1.__awaiter(void 0, void 0, void 0, function* () {
+    var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o, _p;
+    var _q;
+    const appId = req.headers.get("app-id");
+    if (!appId || !((_a = constants_1.APP_MAP === null || constants_1.APP_MAP === void 0 ? void 0 : constants_1.APP_MAP[appId]) === null || _a === void 0 ? void 0 : _a.clientId)) {
+        return (0, utils_1.sendResponse)(400, { status: "bad_request", reason: "invalid_app" });
+    }
+    const expectedClientId = constants_1.APP_MAP[appId].clientId;
+    // cookies
+    const cookies = parseCookieHeader(req.headers.get("cookie"));
+    const at = cookies[`__Secure-session-v1.${appId}.at`];
+    const rt = cookies[`__Secure-session-v1.${appId}.rt`];
+    if (!at && !rt) {
+        return (0, utils_1.sendResponse)(401, { status: "unauthenticated", reason: "no_tokens" });
+    }
+    // decode/verify (lightweight; replace with your verifyJsonWebToken if you have it)
+    let p;
+    try {
+        p = (0, jwt_decode_1.jwtDecode)(at);
+    }
+    catch (_r) {
+        return (0, utils_1.sendResponse)(401, { status: "unauthenticated", reason: "invalid_token" });
+    }
+    if (!(p === null || p === void 0 ? void 0 : p.sid)) {
+        return (0, utils_1.sendResponse)(401, { status: "unauthenticated", reason: "user_not_found" });
+    }
+    const now = Math.floor(Date.now() / 1000);
+    // if (typeof p.exp === "number" && p.exp <= now) {
+    if (typeof p.exp === "number" && p.exp >= now) {
+        // Delegate to refresh helper; it will handle setting cookies/state or returning an error
+        return yield getNewRefreshToken(req, ctx, appId, expectedClientId, rt, p, next);
+    }
+    // audience checks
+    const audOk = (Array.isArray(p.aud) && p.aud.includes(expectedClientId)) ||
+        (typeof p.aud === "string" && (p.aud === expectedClientId || p.aud === "account")) ||
+        p.azp === expectedClientId;
+    if (!audOk) {
+        return (0, utils_1.sendResponse)(403, { status: "forbidden", reason: "audience_mismatch" });
+    }
+    (0, cookies_1.setCookieKV)(ctx, 'ew', 'rre');
+    // pass data downstream
+    (_b = (_q = ctx).state) !== null && _b !== void 0 ? _b : (_q.state = {});
+    const tenantId = (_c = p.cfy_tid) !== null && _c !== void 0 ? _c : (p.iss ? new URL(p.iss).pathname.split("/").pop() : null);
+    ctx.state.auth = {
+        appId,
+        userId: (_d = p.sub) !== null && _d !== void 0 ? _d : null,
+        businessId: (_f = (_e = p.cfy_bid) !== null && _e !== void 0 ? _e : tenantId) !== null && _f !== void 0 ? _f : null,
+        tenantId,
+        email: (_h = (_g = p.email) !== null && _g !== void 0 ? _g : p.preferred_username) !== null && _h !== void 0 ? _h : null,
+        name: (_j = p.name) !== null && _j !== void 0 ? _j : undefined,
+        roles: (_p = (_m = (_l = (_k = p.resource_access) === null || _k === void 0 ? void 0 : _k[expectedClientId]) === null || _l === void 0 ? void 0 : _l.roles) !== null && _m !== void 0 ? _m : (_o = p.realm_access) === null || _o === void 0 ? void 0 : _o.roles) !== null && _p !== void 0 ? _p : [],
+        exp: p.exp,
+    };
+    return next();
+});
+exports.verifyMw = verifyMw;
+function getNewRefreshToken(req, ctx, appId, expectedClientId, rt, p, next) {
+    return tslib_1.__awaiter(this, void 0, void 0, function* () {
+        var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o, _p, _q, _r;
+        var _s;
+        // Attempt server-side refresh using RT
+        if (!rt) {
+            return (0, utils_1.sendResponse)(401, { status: "unauthenticated", reason: "expired_no_rt" });
+        }
+        // Resolve realm for refresh
+        let realmId = (_a = constants_1.APP_MAP[appId].auth) === null || _a === void 0 ? void 0 : _a.realm;
+        if (!realmId) {
+            try {
+                const issRealm = (p === null || p === void 0 ? void 0 : p.iss) ? new URL(p.iss).pathname.split("/").pop() : undefined;
+                realmId = (p === null || p === void 0 ? void 0 : p.cfy_tid) || issRealm || undefined;
+            }
+            catch (_t) {
+                realmId = undefined;
+            }
+        }
+        if (!realmId) {
+            return (0, utils_1.sendResponse)(401, { status: "unauthenticated", reason: "cannot_resolve_realm" });
+        }
+        ctx.info("refreshing token payload ----------------------", {
+            realmId,
+            expectedClientId,
+            rt
+        });
+        // Call auth service to refresh
+        try {
+            const resp = yield fetch(apiURL, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify({
+                    realmId,
+                    clientId: expectedClientId,
+                    refresh_token: rt
+                })
+            });
+            if (!resp.ok) {
+                const text = yield resp.text();
+                (_b = ctx.warn) === null || _b === void 0 ? void 0 : _b.call(ctx, `refresh call failed: ${resp.status} ${text}`);
+                return (0, utils_1.sendResponse)(401, { status: "unauthenticated", reason: "refresh_failed" });
+            }
+            const payload = yield resp.json();
+            const data = (payload === null || payload === void 0 ? void 0 : payload.data) || {};
+            const newAT = data.access_token;
+            const newRT = data.refresh_token;
+            if (!newAT || !newRT) {
+                return (0, utils_1.sendResponse)(401, { status: "unauthenticated", reason: "invalid_refresh_response" });
+            }
+            // Set refreshed cookies for client session
+            (0, cookies_1.setCookieKV)(ctx, `__Secure-session-v1.${appId}.at`, newAT);
+            (0, cookies_1.setCookieKV)(ctx, `__Secure-session-v1.${appId}.rt`, newRT);
+            // Decode new AT and proceed
+            let p2;
+            try {
+                p2 = (0, jwt_decode_1.jwtDecode)(newAT);
+            }
+            catch (_u) {
+                return (0, utils_1.sendResponse)(401, { status: "unauthenticated", reason: "invalid_new_token" });
+            }
+            const audOk2 = (Array.isArray(p2.aud) && p2.aud.includes(expectedClientId)) ||
+                (typeof p2.aud === "string" && (p2.aud === expectedClientId || p2.aud === "account")) ||
+                p2.azp === expectedClientId;
+            if (!audOk2) {
+                return (0, utils_1.sendResponse)(403, { status: "forbidden", reason: "audience_mismatch" });
+            }
+            // Update downstream auth state with refreshed token
+            (_c = (_s = ctx).state) !== null && _c !== void 0 ? _c : (_s.state = {});
+            const tenantId2 = (_d = p2.cfy_tid) !== null && _d !== void 0 ? _d : (p2.iss ? new URL(p2.iss).pathname.split("/").pop() : null);
+            ctx.state.auth = {
+                appId,
+                userId: (_e = p2.sub) !== null && _e !== void 0 ? _e : null,
+                businessId: (_g = (_f = p2.cfy_bid) !== null && _f !== void 0 ? _f : tenantId2) !== null && _g !== void 0 ? _g : null,
+                tenantId: tenantId2,
+                email: (_j = (_h = p2.email) !== null && _h !== void 0 ? _h : p2.preferred_username) !== null && _j !== void 0 ? _j : null,
+                name: (_k = p2.name) !== null && _k !== void 0 ? _k : undefined,
+                roles: (_q = (_o = (_m = (_l = p2.resource_access) === null || _l === void 0 ? void 0 : _l[expectedClientId]) === null || _m === void 0 ? void 0 : _m.roles) !== null && _o !== void 0 ? _o : (_p = p2.realm_access) === null || _p === void 0 ? void 0 : _p.roles) !== null && _q !== void 0 ? _q : [],
+                exp: p2.exp,
+            };
+            // Continue pipeline after refresh
+            return next();
+        }
+        catch (e) {
+            (_r = ctx.error) === null || _r === void 0 ? void 0 : _r.call(ctx, "refresh exception", e);
+            return (0, utils_1.sendResponse)(401, { status: "unauthenticated", reason: "refresh_exception" });
+        }
+    });
+}
+//# sourceMappingURL=verify-middleware.js.map